Nortel Networks Contivity Secure IP Services Gateway 4600 Instrukcja Użytkownika Pobierz pdf (Strona 13)



 13

AuthenticationProtocol(PAP).MS-CHAPcanusenoencryption,40-

bitRC4,128-bitRC4encryption.WhenoperatedinaFIPS140-1

compliantmanner,MS-CHAPisnotenabledwithRC4encryption.

• L2TP:RequiresauthenticationusingMS-CHAPCHAP,orPAP.MS-

CHAPcanusenoencryption,40-bitRC4,128-bitRC4encryption.

WhenoperatedinaFIPS140-1compliantmanner,MS-CHAPisnot

enabledwithRC4encryption.

• L2F:RequiresauthenticationusingCHAP,orPAP.

2.5 KeyManagement

Theswitchsecurelyadministersbothcryptographickeysandothercriticalsecurity

parameterssuchasUserpasswords.Ephemeralsessionskeysarecreatedduringthe

negotiationofsecuretunnelsonbehalfofUserswhohavesuccessfullyauthenticated

themselvestotheswitchwiththeiruserIDandpassword.Thesekeysarecreatedfor

protocolslikeMS-CHAPandISAKMP,whichsecurelynegotiatekeyexchangeandthen

allowencryptionservicesforPPTP,L2TP,andIPSec.



Keysaredestroyedwhentheappropriatetunnel,SecurityAssociation(SA),orsessionis

terminatedandareneverarchivedorreleasedfromthedevice.Userpasswordscanbe

destroyedbytheCryptoOfficerorbyUsersoverwritingtheirownpasswords.All

passwordsarestoredintheLDAPdatabaseinanencryptedformat,andneverreleased.

Theyareusedonlyforauthenticationinkeyexchangeprotocols,whichprotectCritical

SecurityParameters(CSPs)accordingtotheirprotocol.(CryptoOfficersshouldbeaware

thatPAPtransmitspasswordinformationintheclearandshouldnotbeenabledbefore

decidinglocalpolicy.SeenotesonPAPintheContivityExtranetSwitchAdministrator’s

Guide.)



• SessionKeys:Theseareephemeralencryptionkeysusedbythemodulefor

encryptingpacketsduringIPSectunneling.Thesekeysarederivedduringthe

setupofthetunnelandusedonlyduringasecuretunnelsession.TheIPSec

tunnelmayuseeither56-bitDESorTDESforencryption.Thesekeysare

createdbysettingoddparityandcheckingforknownweakkeys.Thesession

keysareinternallyderivedfromtheInternetKeyExchange(IKE)/Internet

SecurityAssociationKeyManagementProtocol(ISAKMP-Oakley).These

protocolsarebasedonDiffie-HellmanKeyAgreement.IPSec“Pre-shared

keys”mayoptionallybeusedwithDiffie-Hellmantonegotiateashared

sessionkeyfromtheconcatenatedandSHA-1hashedvalueoftheuserIDand

password.



• DESpasswordkey:Thiskeyisusedtoencryptuserpasswordstobestoredin

themodule’sinternalLDAPdatabase.Thiskeyiscompiledintothemodule’s

codeandcanbezeroizedusingafloppytoerasethefirmware.Thefloppy

diskunitholdsa“format”utility.InordertozeroizetheDESkey(hard-coded

intothemodulefirmware),thecryptoofficermustruntheformatutility

1 2 ... 8 9 10 11 12 13 14 15 16

Komentarze do niniejszej Instrukcji

Brak uwag

Nortel Networks Contivity Secure IP Services Gateway 4600 Instrukcja Użytkownika Strona 13

Komentarze do niniejszej Instrukcji

Powiązane produkty i podręczniki dla Switche sieciowe Nortel Networks Contivity Secure IP Services Gateway 4600